[VIM] Re: Plans security question (fwd)
jericho at attrition.org
Thu Jun 30 17:18:04 EDT 2005
---------- Forwarded message ----------
From: Lloyd Dalton <daltonlp at gmail.com>
To: security curmudgeon <jericho at attrition.org>
Date: Thu, 30 Jun 2005 11:21:16 -0500
Subject: Re: Plans security question
Thanks for the note. I actually wasn't aware of the note on
Secunia. I suspect it was NoseyNick who posted it (he discovered the
The sql injection / xss vulnerability you mention was actually fixed
in 6.7.1 (not in 6.7.2). The version on Secunia is incorrect. It is
a separate issue from the password exposure issue. It also wasn't
described very well on the main page (it should say "Fixes for several
potential sql injection and cross-site scripting vulnerabilities")
Hope this helps,
- Lloyd Dalton
On 6/30/05, security curmudgeon <jericho at attrition.org> wrote:
> I saw the news entry dated Apr 30, 2005 for the SQL bug that could
> disclose the mySQL password. Updating to 6.7.1 fixes this.
> I also saw Secunia released information regarding an SQL injection attack
> in plans.cgi (http://secunia.com/advisories/15854/) on Jun 29, 2005. Their
> note says upgrading to 6.7.2 fixes this bug.
> I did not see mention of the plans.cgi SQL injection on your news site and
> was wondering if these really refer to the same vulnerability, or if this
> is two separate issues?
> Thanks for any clarification!